NIST readies new standards for biometric ID cards

By Mark Rockwell

Jun 28, 2013

Federal agencies looking to incorporate iris recognition authentication add-on capabilities to their Personal Identity Verification cards will soon get some expert help from the National Institute of Standards and Technology.

In July, NIST is set to release a key biometric reference that federal and federal contractors can use to develop identification cards under the Federal Information Processing Standard 201 (FIPS-201), Personal Identity Verification.

Charles Romine, director of NIST’s Information Technology Lab, in an email to FCW, provided some of the details that will be contained in the Special Publication 800-76-2, Biometric Data Specification for Personal Identity Verification.

The document has been eagerly awaited by lawmakers and federal agencies hungry for technical guidance on how to incorporate more-secure biometric identifiers on official identification credentials.

NIST’s development work on the document came under heavy criticism during a June 19 hearing by the House Oversight and Government Reform Committee's Subcommittee on Government Operations on biometric identification cards. Subcommittee Chairman John Mica (R-Fla.) and subcommittee Ranking Minority Member Gerry Connolly (D-Va.) lamented the lack of technical guidance for federal agencies in developing identification documents that incorporated iris and fingerprint biometric information. They railed against Romine’s predecessor, former information technology lab director Cita Furlani, who promised the committee that the same iris recognition/fingerprint biometric guidance would be available more than a year ago, but then retired without providing it.

At the latest June hearing, Romine told lawmakers the institute would release the biometric reference within 30 days.

The document, developed in conjunction with federal agencies, industry and industry stakeholders, extends biometric specifications of an initial 2007 edition release, said Romine.

Romine said NIST SP 800-76-2 will include specifications for federal agencies to use iris recognition as an optional add-on for authentication of their PIV cardholders. It will describe technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card itself, he said. It also details procedures and formats for fingerprints, iris and facial images.

Specific enhancements in the 2013 edition include the adoption of a specialized compact and formally standardized iris image format to provide agencies with another option for authenticating PIV cardholders.

The iris specifications in NIST SP 800-76-2, he said, are based on specialized iris image format requirements for compact storage in the international standard, ISO/IEC 19794-6:2011.

Additionally, images of one or both eyes may be placed on the card – each image size will have size of no more than 3 kilobytes per eye which supports compact on-card storage and fast reading times, he said. The document also includes performance specifications for iris biometrics to ensure accuracy, and provide guidance on iris camera selection by providing specifications. The standards-based elements specifications support interoperable authentication within and across agencies that may choose to use iris recognition. The fingerprint on-card comparison, said Romine, allows activation of PIV cards without entering a PIN. While not required, he said, agencies can use this technology at their option.

Note: This article was updated on July 1 to correct the misidentification of NIST's former information technology lab director Cita Furlani.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Reader comments

Mon, Jul 1, 2013

I have eye issues already, I wonder what a continuous bombarding of my eye with the light required to read the iris print will do in the long term to the eye. After all, laser workers have to use glasses while using lased light to prevent eye damage even from indirect lased light, this is putting it right into the eye.

Mon, Jul 1, 2013

These standards are good... but let's not fool ourselves into thinking that PIV-stored biometric data really adds another full factor of authenitication. PKI and soon this iris data is still held physically with a card pown'd by a not-yet-authenticated actor. Only if the iris-scan's data (or hash) is sent to and confirmed by the remote service could it be considered another, full factor of authentication.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.